Rewards

Rewards & Severity Rating

🔐 Non-Custodial Operations

Bron never holds or controls user private keys, funds, or assets. All transactions are user-initiated and executed directly with third-party smart-contract protocols. Swap and staking functions are performed via independent third-party APIs. Bron only provides technical access and does not pool, intermediate, or custody user assets.

Reward Calculation

Rewards are calculated based on the CVSS v4.0 Base score of the vulnerability. The final reward amount is determined by our security team after internal assessment, taking into account Environmental metrics and business context.

💰 General Reward Ranges

Reward ranges vary by scope category.

🎖️ NFT Reward Guarantee

Every accepted bounty submission entitles the researcher to a non-transferable Bron NFT in addition to the monetary reward listed below. The NFT grants a complimentary Basic tier subscription for 2026 (or an upgrade to the next tier if Basic is already active, capped at Enterprise). To receive any reward, a Bron wallet is required — bounty payments are distributed in stablecoins to the researcher's Bron wallet address.

| Severity Level | CVSS v4.0 Score | Web & API (USD)   | Mobile & Desktop (USD) |
|----------------|-----------------|-------------------|------------------------|
| Low            | 0.1 — 3.9       | $50 — $250        | $5 — $50               |
| Medium         | 4.0 — 6.9       | $250 — $2,500     | $50 — $1,500           |
| High           | 7.0 — 8.9       | $2,500 — $5,000   | $1,500 — $5,000        |
| Critical       | 9.0 — 9.4       | $5,000 — $10,000  | $5,000 — $10,000       |
| Exceptional    | 9.5 — 10.0      | more than $10,000 (both categories)          |

📜 Smart Contracts Note

Smart contract vulnerabilities are assessed individually (not via CVSS). See the Smart Contracts page for detailed information on assessment criteria and reward ranges ($50 — $12,500+).

💰 Reward Adjustments

If the PoC demonstrates direct financial impact, mass PII leakage, or full account takeover with access to funds, our security team may apply an increased reward within the specified ranges.

Reports that include detailed remediation recommendations, with code examples or mitigation strategies, may receive a bonus of up to 10% on top of the reward.

🛡️ Compliance Notice

All bounty payments are made in USD-denominated stablecoins to the researcher's Bron wallet address and are subject to sanctions screening and anti-money-laundering controls consistent with Bron's compliance policy. We cannot process payments to anyone on applicable sanctions lists.

Assessment and Payouts

  • Official scoring: CVSS v4.0 (Base score). Researchers specify the Base vector in the report; the final assessment and reward amount are determined by our security team after internal recalculation of the Environmental metrics (business context consideration).
  • Payouts are determined by vulnerability type. If the discovered vulnerability is not listed, the payout is assessed using the reward ranges for the corresponding CVSS score (see the table above).
  • Exploits leading to financial fraud or mass PII leakage increase the payout within the specified ranges.
  • No payouts for: duplicates, theoretical reports without reproducible PoC, out-of-scope reports.
  • Payouts are made in USD-denominated stablecoins; taxes are the responsibility of the recipient.

Who Gets the Bounty

  • The reward goes to the first valid report with sufficient PoC (recorded in our logs: timestamp of incoming email/form + raw e-mail + PoC hashes + auto-response record).
  • If two independent reports are received within 48 hours and both contain different, reproducible PoCs, the committee may decide on an equal 50/50 split.
  • When refining an already confirmed report — for example, providing an improved PoC, refined exploitation vector, or more detailed impact analysis — the researcher may receive additional compensation at the committee's discretion.

Testing Scope & Reward Applicability

For category-specific reward ranges, impact definitions, and testing requirements, see the dedicated pages: